1. About this Policy
1.1 This Policy is to help clubs, County Football Associations, and football leagues deal with data protection matters internally. This should be kept with other club policies and a copy should be given (or made available) to all staff members, volunteers, and others who come into contact with personal data during the course of their involvement with the club.
1.2 Bristol Manor Farm FC [Club], the Gloucestershire FA [County FA], and the Southern League [League] handle personal data about current, former, and on occasion prospective players [and their parents or guardians], employees, volunteers, committee members, other Club / County FA / League members, referees, coaches, managers, contractors, third parties, suppliers, and any other individuals that we communicate with.
1.3 In your official capacity with the Club / County FA / League, you may process personal data on our behalf, and we will process personal data about you. We recognise the need to treat all personal data in an appropriate and lawful manner, in accordance with the UK General Data Protection Regulation (UK GDPR).
1.4 Correct and lawful treatment of this data will maintain confidence in the Club / County FA / League and protect the rights of players and any other individuals associated with the Club / County FA / League. This Policy sets out our data protection responsibilities and highlights the obligations of the Club / County FA / League, which means the obligations of our employees, committee, volunteers, members, and any other contractor or individual acting for or on behalf of the Club / County FA / League.
1.5 You are obliged to comply with this policy when processing personal data on behalf of the Club / County FA / League, and this policy will help you to understand how to handle personal data.
1.6 The Club / County FA / League committee will be responsible for ensuring compliance with this Policy. Any questions about this Policy or data protection concerns should be referred to the committee.
1.7 We process personal data for administrative and Club / County FA / League management purposes. Our purpose for holding this personal data is to be able to contact relevant individuals on Club / County FA / League business, and our legal basis for processing your personal data in this way is the contractual relationship we have with you. We will keep this data for 12 months after the end of your official relationship with the Club / County FA / League, unless required otherwise by law.
2. What we need from you
2.1 To assist with our compliance with GDPR, we will need you to comply with the terms of this policy. Please ensure that you:
- Only process data in accordance with our Privacy Notice.
- Only process personal data for the purposes for which it was collected.
- Do not ask for further information without prior authorisation from the committee.
- Update personal data if requested by an individual.
- Comply with our data retention policies and securely delete/destroy outdated data.
- Treat all personal data as confidential and store it securely.
- Seek approval before using new electronic systems for data storage.
- Consult with the committee before sharing data outside the FA structure.
- Report any suspected data breaches immediately to the committee.
3. Data Protection Principles
3.1 Anyone processing personal data must comply with the following principles. Personal data must be:
- Processed lawfully, fairly, and transparently.
- Collected for specified, legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and up to date.
- Kept only as long as necessary.
- Processed securely to protect against unauthorised access, loss, or damage.
4. Fair and Lawful Processing
4.1 Our data processing is conducted fairly and in accordance with GDPR regulations.
4.2 We process data based on legal grounds such as contractual necessity, legitimate interests, and individual consent.
5. Processing for Limited Purposes
5.1 We collect and process personal data for Club / County FA / League purposes only.
5.2 Individuals are informed of the purposes for which their data is collected.
6. Consent
6.1 Individuals provide explicit, informed consent where necessary.
6.2 Consent can be withdrawn at any time.
6.3 Parental consent is required for processing children’s data.
7. Notifying Individuals
7.1 When collecting personal data, we inform individuals about:
- The purposes and legal basis for processing.
- The rights of data subjects.
- Data retention periods.
- Any sharing of data with third parties.
8. Data Accuracy and Retention
8.1 We ensure personal data is accurate and updated regularly.
8.2 Data is deleted or anonymised when no longer needed.
9. Data Security
9.1 We implement security measures such as:
- Access controls and locked storage.
- Secure disposal of personal data.
- Password protection for electronic files.
- Secure handling of personal devices.
10. Data Sharing and Transfers
10.1 We share personal data only where necessary and under GDPR-compliant contracts.
10.2 Data transfers outside the UK require appropriate safeguards.
11. Reporting a Data Breach
11.1 Any data breaches must be reported to the committee immediately.
11.2 We will assess whether regulatory notification is required.
12. Subject Access Requests
12.1 Individuals may request access to their data. Requests should be forwarded to the committee for review.
12.2 We verify identities before disclosing personal data.
13. Accountability
13.1 The Club / County FA / League is responsible for demonstrating GDPR compliance by:
- Providing privacy notices at data collection points.
- Training staff and volunteers on GDPR responsibilities.
- Reviewing and improving data protection measures regularly.
14. Changes to this Policy
14.1 We reserve the right to update this policy as required. Any changes will be communicated appropriately.